I agree to TechTarget’s Terms of Use, Privacy Policy, and the transfer of my information to the United States for processing to provide me with relevant information as described in our Privacy Policy.

Please check the box if you want to proceed.

I agree to my information being processed by TechTarget and its Partners to contact me via phone, email, or other means regarding information relevant to my professional interests. I may unsubscribe at any time.

Please check the box if you want to proceed.

By submitting my Email address I confirm that I have read and accepted the Terms of Use and Declaration of Consent.

.

My research into this subject shows that data access policy ideally involves not only full-time employees, but should also cover part-timers, temp workers, contractors, customers, partners or anyone else who might occasionally have a legitimate need to access an organization's data. It's also interesting to find two basic forms of access policy:

What's often called an "Employee Access to Organizational Data" document also addresses policy for part-timers, temps and so forth. Here we're talking about describing what qualifies as sensitive data, who has the need to know such information and the kinds of access that will be permitted.

An "Employee Internet Access Policy" or an "Acceptable Use Policy" deals with the kinds of public information that employees may legitimately access, use and discuss on the job. It also addresses other sorts of information, graphics and so forth from which they should steer clear.

Between the two forms of policy we find a set of rules governing who may access what and a lot of information about what's appropriate in the workplace (and by exclusion, extension or specific mention, what's not).

Most security experts agree that managing access controls to organizational data requires going through at least three detailed and important exercises:

Identifying various types of and repositories for sensitive data

Assessing the risks involved should such data be lost, stolen or disclosed to unauthorized third parties

Describing job roles that relate to each type of sensitive data and what kinds of access is required for each job role

In general, these exercises boil down to taking stock of your organization's data, who accesses it and for what purposes. Because entire sections of security texts and courses are devoted to data classification, risk assessment and job role analysis that lead to role-based access control schemes, forgive me for glossing over a serious and involved subject in fairly short order. Any good infosec certification will give these subjects their due, as will any good infosec fundamentals textbook.

Internet access or acceptable use policies are usually designed to prevent encounters with questionable or potentially offensive documents, graphics and so forth, in the workplace. The idea is to draw boundaries on the limits of what users may view or read while in the workplace, so as to prevent possible perceptions of or accusations regarding creation of a hostile or negative work environment. Most companies deploy firewall filters that block known sources of questionable content and use policy to warn users in advance to stay away from other examples of such information that might escape filters.

As always, the key to successful policy implementation is education. It's absolutely essential to not just capture access control and acceptable access rules in policy documents and employee handbook materials, but to make sure users understand their content and intent. To that end, many companies require employees to sign a legal acknowledgement that they have read and understood such materials, and agree to be legally bound by them. Consequences for failures to adhere to such policies should also be clearly spelled out and explained to employees and others who must abide by these rules.

Please feel free to e-mail me with feedback, comments or questions at etittel@yahoo.com.

About the authorEd Tittel is VP of Content Services at iLearning, a CapStar company, based in Austin, Texas. As creator and series editor for Exam Cram 2, Ed's worked on numerous titles on Microsoft, Novell, CompTIA and security certifications, including Security+, CISSP and TICSA.

0 comments

Register

Login

Forgot your password?

Your password has been sent to:

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy